VDB
RHSA-2025%3A1711
RHSA-2025%3A1711
PUBLISHED
CVSS 8.600000381469727 HIGH
A file descriptor leak issue was found in the runc package. While a user performs `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when performing `setcwd(2)`, which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset after `execve`, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors.
Risk Scores
CVSS 3.1
8.600000381469727
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift4/ose-cluster-kube-cluster-api-rhel9-operator@sha256:dc100d36de829cc6e4866b93fc3229ed43a3ab3385ffe6cced3b4d2e6ac92e9e_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/ose-cluster-kube-cluster-api-rhel9-operator@sha256:dc100d36de829cc6e4866b93fc3229ed43a3ab3385ffe6cced3b4d2e6ac92e9e_ppc64le |
| Red Hat | openshift4/ose-gcp-cloud-controller-manager-rhel9@sha256:a8bdef0206a2c828889b898bf05859b9b1a8d7208fa56a369f9b3e9bbe5d14f6_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-multus-route-override-cni-rhel8@sha256:599ab3ff8bb3ad32ca8857e60135fc3085ce21a42381d1c7069606437871b8fe_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-monitoring-plugin-rhel8@sha256:7cdef3010021b866a164fc596a807048d0c3c064380f9ac2033f4e8494dc2da7_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/ose-monitoring-plugin-rhel8@sha256:7cdef3010021b866a164fc596a807048d0c3c064380f9ac2033f4e8494dc2da7_ppc64le |
| Red Hat | openshift4/ose-csi-node-driver-registrar@sha256:e692a6c20b93de3b64231c61a2db0862c680135b084737a015afdba071bc1e60_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/ose-csi-node-driver-registrar@sha256:e692a6c20b93de3b64231c61a2db0862c680135b084737a015afdba071bc1e60_arm64 |
| Red Hat | openshift4/ose-kube-proxy-rhel9@sha256:54c5c69de3c50a4c6a733b99cf226660c5accb14f7e5ece59a1ffe76aaa0d788_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-machine-os-images-rhel8@sha256:2f9597e875d86aa9f49ab25e1becdbc787b2872d0f1f3f1a319a0d4312a1d10b_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-csi-external-provisioner@sha256:7dde4d19aab3a0b52a30b7e4285e2b6a2b774d01e7a6cceaa147c329568d0ec3_s390x as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:c4252ad51caca8425ef1a76c121055b80736229fb70fce1613a6fb9af5bad45a_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:c4252ad51caca8425ef1a76c121055b80736229fb70fce1613a6fb9af5bad45a_arm64 |
| Red Hat | openshift4/ose-machine-api-provider-gcp-rhel9@sha256:3b810843fe78cad644673b02d273f921033ffc87b560a767e34242df222241e6_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | * |
| Red Hat | openshift4/ose-gcp-pd-csi-driver-operator-rhel8@sha256:906a764adcd4260e3558134cf3091bedcfb2f3de54d8948cd4a974134ec088b3_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-cluster-autoscaler-rhel9-operator@sha256:b6fcade7c8f8a540c88f2fb0f5635373ecf18dce85e19fd8568439866586d524_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/ose-cluster-autoscaler-rhel9-operator@sha256:b6fcade7c8f8a540c88f2fb0f5635373ecf18dce85e19fd8568439866586d524_amd64 |
| Red Hat | openshift4/ose-cluster-image-registry-rhel9-operator@sha256:12d0eed42976a4aea6aba23babeed6796d156b94c697e7e2c4ebb288be02efa5_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | * |
| Red Hat | openshift4/driver-toolkit-rhel9@sha256:cca0c93c8f1ec35bf40b0fd03fc835b964974312eb4127bd319b5740efb5b634_s390x as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-configmap-reloader-rhel9@sha256:a7c69aed05576a845c1447ce5df8bea37db4d40835d056fcab52d6015f9fef04_s390x as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/kube-metrics-server-rhel8@sha256:07b62f51a52413ff5fb55448e00563ba0dd0de100c15b4cb6158cb445dede3df_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/kube-metrics-server-rhel8@sha256:07b62f51a52413ff5fb55448e00563ba0dd0de100c15b4cb6158cb445dede3df_ppc64le |
| Red Hat | openshift4/ose-cluster-update-keys-rhel9@sha256:3615c8b014c6612a838dddb86311cbd4c0134732c6e7d4b31fcb90797c961c58_arm64 as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/ose-cluster-update-keys-rhel9@sha256:3615c8b014c6612a838dddb86311cbd4c0134732c6e7d4b31fcb90797c961c58_arm64 |
| Red Hat | openshift4/ose-csi-external-provisioner-rhel8@sha256:7dde4d19aab3a0b52a30b7e4285e2b6a2b774d01e7a6cceaa147c329568d0ec3_s390x as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/ose-csi-node-driver-registrar@sha256:2f7fb5dd642ead13b38523ddc0d2a5cb80b3bca5cc87948fd8e1614450851c16_amd64 as a component of Red Hat OpenShift Container Platform 4.15 | *, *, * |
| Red Hat | openshift4/network-tools-rhel8@sha256:6fedcb484f94ff0d978fd8421f177206995117acbc9b61da8ff1d6e3117944cc_ppc64le as a component of Red Hat OpenShift Container Platform 4.15 | openshift4/network-tools-rhel8@sha256:6fedcb484f94ff0d978fd8421f177206995117acbc9b61da8ff1d6e3117944cc_ppc64le |
…and 1311 more
Timeline
- Feb 27, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Jul 13, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:1711 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/security/vulnerabilities/RHSB-2024-001 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2258725 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2329817 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://issues.redhat.com/browse/OCPBUGS-28706 advisory
- https://issues.redhat.com/browse/OCPBUGS-41815 advisory
- https://issues.redhat.com/browse/OCPBUGS-46403 advisory
- https://issues.redhat.com/browse/OCPBUGS-47716 advisory
- https://issues.redhat.com/browse/OCPBUGS-47766 advisory
- https://issues.redhat.com/browse/OCPBUGS-48083 advisory
- https://issues.redhat.com/browse/OCPBUGS-48593 advisory
- https://issues.redhat.com/browse/OCPBUGS-49836 advisory
- https://issues.redhat.com/browse/OCPBUGS-50526 advisory
- https://issues.redhat.com/browse/OCPBUGS-50661 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1711.json advisory
- https://access.redhat.com/security/cve/CVE-2024-21626 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-21626 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-21626 advisory
…and 15 more